CVE-2024-40522
HIGH
SeaCMS 12.9 - Authenticated Remote Code Execution via phomebak.php Variable Injection
Title source: llmDescription
SeaCMS 12.9 contains a remote code execution vulnerability. It is caused by phomebak.php writing passed-in variable names into a PHP file without filtering them first. An authenticated attacker can exploit this vulnerability to execute arbitrary commands and obtain system permissions.
Scores
CVSS v3: 8.8
EPSS: 0.0640
EPSS Percentile: 91.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-94
Status: published
Products (1): seacms/seacms 12.9
Published: Jul 12, 2024
Tracked Since: Feb 18, 2026